A Classical Automata Approach to Noninterference Type Problems
Code 5543

Naval Research Laboratory
Washington, DC 20375-5000

Abstract 

Using classical automata theory we show how noninterference can be viewed as a relatively simple phenomenon. We also give direction for future work concerning probabilistic security problems using classical automata theory.

1 Introduction

Many models have been proposed to model a secure computer system. Some of the representative early models are by Harrison et al [10], Denning [4], and the often mentioned Bell-LaPadula model [3]. Depending on how one interprets concepts such as “subject/user” and “object” it is not clear whether or not covert channels are taken into consideration in these models.

Noninterference [6, 7] was a concrete approach at preventing improper information flow in a deterministic system. Nondeducibility [21] was a more abstract attempt at looking at possible non-secure information flow in a secure system, i.e., a covert channel. Restrictiveness [12, 13] was ostensibly developed as a nondeterministic analog of noninterference to repair purported problems involved with “hooking up” secure systems. Probabilistic interference [8] arose to analyze situations in nondeterministic systems that could be interpreted probabilistically. FM [15] and its successors [9] are other attempts to understand information flow via probability theory. Also, several authors (including these) have used probability theory to analyze covert channels via information theory.

Moskowitz previously investigated probabilistic channels using a technique similar to that for fibre bundles [17] to try to get a better theoretical handle on problems dealing with restrictiveness and probability. In this paper we propose a simpler model for understanding information flow. We use the techniques of classical automata theory, as first explicated by Rabin and Scott [19], to set up our model. To quote from the NCSC Integrity report [5, p. 75], “A significant advantage of having the model based on a standard notion like the automaton is that extensive literature and well-developed intuition become immediately applicable to the problem domain.” Many of the non-standard state machine models used in previous models of computer security are rather complicated, and, we believe, unnecessarily so. Nature is not always beautiful, but most of the time it is. This is not to say that these models are incorrect or useless. On the contrary, they might be more useful, in certain cases, than what we propose when trying to apply the theory to actual situations. Our contention is that they are more than what is needed to understand the basic properties.

The descriptive power of the model that we describe in this paper is its ease of expression and its ability to capture deterministic, nondeterministic, and hopefully probabilistic situations in one simple model. Hopefully, this will be a useful tool for reasoning about security (to paraphrase McLean [14]). We feel that our deterministic model is the correct model for noninterference type properties. The nondeterministic model, that we construct in the manner of classical automata theory, is not the same as that for restrictiveness, as in [13]. An advantage of our models is that the nondeterministic model contains the deterministic one as a special case.

One beauty of classical automata theory is the way complex systems can be represented by a very simple model. One does not need to worry about outputs or internal events. If the automaton is carefully defined one need only concern oneself with inputs and the state changes that they induce. As shown in Arbib [1] we can always include outputs as part of the state of the system. Any internal events are in fact caused by earlier input taking the system to a certain state. We will expand on these ideas later in the paper. We note that Jacob, by using a category theoretic approach [11], has also expressed noninterference in a compact form.

2 Automata Theory

Our notation will roughly follow that of Bavel [2]. Given a finite set $\Sigma$, let $\Sigma^*$ be the free monoid over $\Sigma$. In other words $\Sigma^*$ is made up of all finite sequences (called strings or words) from elements of $\Sigma$. The empty sequence is denoted by $e$ and acts as the multiplicative identity. The multiplication is given by concatenation.

Definition 1 An automaton is a triple $A = (S, \Sigma, \delta)$, where

(1) $S$ is a finite set (of states)

(2) $\Sigma$ is a nonempty finite set (the input alphabet)

(3) $\delta : S \times \Sigma^* \to S$ is a (transition) function satisfying $\forall s \in S$ and $\forall x, y \in \Sigma^*$, $\delta(s, xy) = \delta(\delta(s, x), y)$ and $\delta(s, e) = s$, where $e$ is the null sequence in $\Sigma^*$.

Notice that there is no mention of outputs in this definition. Some authors also include an initial state and a set of accepting (or final) states. Accepting states are not of interest to us here because we are not explicitly concerned with what languages the automaton recognizes. We are only concerned with observable state changes. Initial states will be discussed later.

We will first briefly discuss outputs and then see that they are not necessary.

Definition 2 An automaton with outputs is the 5-tuple $M = (S, \Sigma, \delta, Y, \lambda)$, where $S$, $\Sigma$, and $\delta$ are as in Definition 1. The set $Y$ is referred to as the set of outputs and $\lambda$ is the output function $\lambda : S \times \Sigma \to Y$.

Notice that the output is determined solely by the input and state. Also note that in this definition the output function does not change the state of the system. (This definition can be modified to look at output strings (or traces) by redefining $\lambda$ so that $\forall s \in S$ and $\forall x, y \in \Sigma^*$, $\lambda(s, xy) = \lambda(s, x)\,\lambda(\delta(s, x), y)$.) It is the effect of inputs that concerns us. Modeling the outputs is superfluous as we shall see.

In [1] Arbib describes a state-output machine, which negates the necessity of our worrying about outputs as long as we choose our states properly.

Definition 3 An automaton with outputs is a state-output machine if $\exists\, \beta : S \to Y$ such that $\lambda = \beta \circ \delta$.

The function $\beta$ need not always exist. It depends on how the system arrived at the state in question. In other words we may have an automaton with outputs such that $\lambda(s_1, x_1) = y_1$, $\lambda(s_1', x_1') = y_1'$, and $\delta(s_1, x_1) = \delta(s_1', x_1')$, but $y_1 \neq y_1'$. The function $\beta$ does not exist in this case. The essence of $\beta$ is that it attaches to the state $s$ the output that goes along with it that resulted from an input taking a previous state into $s$.

It is an important fact that every automaton with output can be viewed as a state-output machine. To do this we replace every state $s$ by the set $\bar S = \{[s, y] \mid \exists s' \in S,\ \exists x \in \Sigma, \text{ such that } \delta(s', x) = s \text{ and } \lambda(s', x) = y\}$. Accordingly, we can define a new $\delta$ and $\lambda$, denoted by $\bar\delta$ and $\bar\lambda$, respectively, by $\bar\delta([s, y], x) = [\delta(s, x), \lambda(s, x)]$ and $\bar\lambda([s, y], x) = \lambda(s, x)$. The function $\beta$ in this case maps $[s, y] \mapsto y$. Thus we may replace the entire set $S$ by $\bar S$, where $\bar S$ is all such $[s, y]$, and use $\bar\delta$ and $\bar\lambda$. The important fact to keep in mind is that the input alphabet has not changed nor has the way inputs transition states really changed. This only fine-tunes the transitions to include the outputs along with the state changes. Due to this we view all automata with outputs as state-output machines (via the above construction). However, in a state-output machine the information about $\lambda$ is superfluous because the outputs are incorporated into the states. That is, we need not consider the output function in reasoning about the security of such systems, since knowing the current state embodies knowing the current output.

The above justifies our use of automata as a model for our computer system. We do not have outputs or internal events causing state transitions, as do McCullough and others. This is because internal events and outputs are caused by inputs. In our thinking the system starts in a benign (not necessarily unique) initial state and inputs move it out of this initial state. Outputs arise from inputs and internal events are caused by previous input moving the system into a state that is prepared to transition to yet another state. One can consider the next state from an input which triggers internal events as the sequence of states passed through, which can be represented as a single state in our model. (We address models that view each internal transition as a separate state in the digression at the end of section 4.)

We do not model the time between state transitions. Our model only allows us to talk about before and after with respect to state transitions, and our previous comments show that this is sufficient for our present purposes. For security our concern is whether high inputs can affect what Low “sees”. We are certainly not the first to be concerned with this issue. However, an aim of our model is to make the security issues more transparent and amenable to many kinds of analysis.

3 Carpe States

An assumption that must be made clear is exactly how Low “sees the states”. A state is a vector of variable values. The values of the variables determine what state the system (automaton) is in. These variables, the objects of the secure system, are designated either low or high. The high user (High) knows the value of the entire state vector, whereas the low user (Low) knows only the values of the low variables. In other words, Low does not see complete states and therefore cannot distinguish between states which differ only in the values of the high variables. This corresponds to McCullough’s treatment of states. Note that our states, by assumption of the state-output construction discussed in the previous section, include the outputs as state variables. Hence Low, in a sense, can see the low outputs while High can see all of the outputs. Of course implicit is that the users are able to determine the values of the appropriate variables by some assumed means.

Our systems are input total. This is reflected mathematically by having $\delta$ defined as a function, not a partial function. The transition function has as its domain $S \times \Sigma^*$. Any state and any input result in another (possibly the same) state. We view the automaton as starting in an initial state with all of the high variables “zeroed out”. We would not want the automaton to start in an initial state whose high variables contained the instruction “after the next three low inputs do something to the low state variables”. We need a secure beginning for the system. We need this to make sure that only inputs along with possibly prior low information already in the system can influence where the system is going. Our security concern becomes: high inputs cannot affect the low state variables. We will make this precise later in the paper. Below is our definition for security, which is, of course, similar to Goguen and Meseguer’s definition of noninterference [6, 7] and McCullough’s state based definition of restrictiveness [12]. Elements of $\Sigma$ in our model correspond to user-command pairs of Goguen and Meseguer, i.e., $\Sigma = U \times C$ where $U$ = users and $C$ = commands.

4 Deterministic Secure System Model

Definition 4 We say that an automaton is double level if there are two and only two users designated as High and Low, and that the inputs come from either High or Low, but not both.


We will assume for the rest of the paper that all of our automata are double level. We refer then to the inputs as low or high inputs. Notice then that $\Sigma$ is the disjoint union of $\Sigma_L$ (the low inputs) and $\Sigma_H$ (the high inputs).

Definition 5 We say that $s_0$ is a secure initial state if no high inputs have yet been entered into the machine.

In other words, a state is a secure initial state if no high information has yet affected the high state variables.

Definition 6 Given $s_1, s_2 \in S$ we say that $s_1$ and $s_2$ are equivalent, written $s_1 \sim s_2$, iff the low state variables of $s_1$ and $s_2$ have the same values.

This is obviously an equivalence relation on $S$ and we may form the quotient set $S/\!\sim$ and the quotient (or projection) map $\pi : S \to S/\!\sim$.

Definition 7 Define $F : \Sigma^* \to \Sigma_L^*$ by $F(w) = F(x_1) \cdots F(x_n)$, where $w = x_1 \cdots x_n$ and each $x_i \in \Sigma \cup \{e\}$, and

$$
F(x_i) = \begin{cases} x_i & \text{if } x_i \in \Sigma_L \\ e & \text{if } x_i \in \Sigma_H \cup \{e\}. \end{cases}
$$


Note that $F$ is an onto homomorphism of free monoids and that $F$ restricted to $\Sigma_L^*$ is just the identity map. In fact $F$ is just the purge map discussed by others [22]. All of this leads us to a definition of a Secure Deterministic Automaton (SDA).

Definition 8 (SDA) Given a system represented by both an automaton $A = (S, \Sigma, \delta)$ and a secure initial state $s_0$, we say that the system is a Secure Deterministic Automaton if:

(1) The map $\bar\delta : S/\!\sim \times \Sigma_L^* \to S/\!\sim$, given by $\bar\delta([s], w_L) = [\delta(s, w_L)]$, where $[s] \in S/\!\sim$ and $w_L \in \Sigma_L^*$, is well-defined.

(2) The following diagram, referred to as the Deterministic Security Diagram (DSD), is commutative:

$$
\begin{array}{ccc}
S \times \Sigma^* & \xrightarrow{\ \delta\ } & S \\
\big\downarrow{\scriptstyle \pi \times F} & & \big\downarrow{\scriptstyle \pi} \\
S/\!\sim \times \Sigma_L^* & \xrightarrow{\ \bar\delta\ } & S/\!\sim
\end{array}
$$

Let us analyze the DSD to see why we require such a definition for security. First of all, the map $\bar\delta$ must be well-defined for a system to be secure. Suppose that $s_1 \sim s_2$, i.e., $[s_1] = [s_2]$. If $\delta(s_1, w_L) \not\sim \delta(s_2, w_L)$ then Low can tell, by inputting $w_L$, that $s_1$ and $s_2$ are different elements of $S$. This is a security violation for then Low would have more information than just the values of the low state variables! It is possible that High could manipulate the automaton into state $s_1$ or $s_2$ through a series of (not necessarily consecutive) inputs. This would allow a covert channel to be opened up between High and Low. Therefore $[\delta(s_1, w_L)] = [\delta(s_2, w_L)]$ is a requirement.

Secondly, the diagram must commute. Since $F$ restricted to $\Sigma_L^*$ is the identity map the only way that the diagram could not commute would involve an element $x_H \in \Sigma_H$ and an $s \in S$ such that $\delta(s, x_H) \not\sim \delta(s, e) = s$. If High inputs can affect the equivalence class of a state then Low will know that High input something. Therefore this cannot be allowed.

The DSD also satisfies the Bell-LaPadula condition which forbids reads up and writes down. The no read up policy is enforced by the fact that Low has knowledge only of the Low state variables. Since we are not concerned with aggregation [16] problems all high information must come from high input. Since high input is not allowed to change low state variables and we started in a secure initial state, no write down is also enforced.

Digression: Implicit in our construction of the automaton and description of the state variables is that the users do not see any of the intermediate processing of the state transitions. If intermediate states were in fact visible states to the users then internal transitions might be a problem in our model. Of course then $\delta$ would have to be modified to be a partial function and we would lose input totality. This is not a serious problem however, since a system with a partial function $\delta$ can be represented as a particular kind of nondeterministic automaton. We will see that these are behaviorally equivalent to (input total) deterministic ones.
End of Digression

4.1 Unwinding

In the spirit of Goguen and Meseguer [7] we will examine an unwinding theorem.

Theorem 1 A system is an SDA iff the DSD holds (is well-defined and commutes) with $\Sigma^*$ and $\Sigma_L^*$ replaced by $\Sigma$ and $\Sigma_L \cup \{e\}$, respectively.

Proof: Note that the map $F$ never increases the length of strings.

(Holds with $*$ $\Rightarrow$ holds without $*$) Trivial.

(Holds with $*$ $\Leftarrow$ holds without $*$) This is a straightforward induction proof which we show only for commutativity. The fact that $\bar\delta$ is well-defined follows in a similar (and simpler) fashion.

(a) Commutativity holds for strings of length up to 1. This follows from the assumptions.

(b) Assume commutativity holds for strings of length up to $n - 1$. This is the induction hypothesis.

(c) We show commutativity holds for strings of length $n$. Say $w \in \Sigma^*$ and $w = x_1 \cdots x_{n-1} \cdot x_n$, where each $x_i \in \Sigma$. Following the DSD diagram from the top to the right we have that

$$
(s, x_1 \cdots x_{n-1} \cdot x_n) \mapsto \delta(s, x_1 \cdots x_{n-1} \cdot x_n) \mapsto [\delta(s, x_1 \cdots x_{n-1} \cdot x_n)].
$$

We have to follow the diagram from the left to the bottom and see if we get the same thing. Hence,

$$
(s, x_1 \cdots x_{n-1} \cdot x_n) \mapsto ([s], F(x_1) \cdots F(x_{n-1}) \cdot F(x_n)) \mapsto [\delta(s, F(x_1) \cdots F(x_{n-1}) \cdot F(x_n))].
$$

So we now need to show that

$$
\delta(s, F(x_1) \cdots F(x_{n-1}) \cdot F(x_n)) \sim \delta(s, x_1 \cdots x_{n-1} \cdot x_n). \qquad (1)
$$

By the definition of $\delta$ we see that $\delta(s, x_1 \cdots x_{n-1} \cdot x_n) = \delta(\delta(s, x_1 \cdots x_{n-1}), x_n)$ and $\delta(s, F(x_1) \cdots F(x_{n-1}) \cdot F(x_n)) = \delta(\delta(s, F(x_1) \cdots F(x_{n-1})), F(x_n))$. By step (b) of the induction we are assuming that $\delta(s, F(x_1) \cdots F(x_{n-1})) \sim \delta(s, x_1 \cdots x_{n-1})$. Therefore we may apply step (a) of the induction (together with the well-definedness of $\bar\delta$ on single inputs, which lets us replace one of these two equivalent states by the other before applying $x_n$ and $F(x_n)$) to get equation (1) above. ∎
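As an added illustration of Definition 8 and Theorem 1 (this code is not from the paper), the following Python encodes a small constructed two-variable machine, once in a secure form and once with the low counter silently depending on a high flag, and runs the single-input unwinding check and the full DSD on an input string. The state vector, the input names and both machines are assumptions of this example.

```python
from itertools import product

# Constructed example, not from the paper: a state is the vector (low, high);
# Low sees only the first component. Inputs are tagged as Low or High inputs.
EPS = ""                        # the null sequence e
LOW_INPUTS = ("inc", "noop")    # Sigma_L
HIGH_INPUTS = ("set", "clr")    # Sigma_H
STATES = [(lo, hi) for lo in range(4) for hi in (0, 1)]


def low_equiv(s1, s2):
    """s1 ~ s2 iff the low state variables agree (Definition 6)."""
    return s1[0] == s2[0]


def secure_step(s, x):
    """delta on single inputs: the high flag never influences the low counter."""
    lo, hi = s
    if x == "inc":
        return ((lo + 1) % 4, hi)
    if x == "set":
        return (lo, 1)
    if x == "clr":
        return (lo, 0)
    return s                    # "noop" and the null sequence e leave the state alone


def leaky_step(s, x):
    """Same machine, except that 'inc' adds the high flag to the low counter."""
    lo, hi = s
    if x == "inc":
        return ((lo + 1 + hi) % 4, hi)
    return secure_step(s, x)


def run(step, s, word):
    """Extend delta from single inputs to strings: delta(s, xy) = delta(delta(s, x), y)."""
    for x in word:
        s = step(s, x)
    return s


def purge(word):
    """The map F of Definition 7: erase every high input, keep the low ones."""
    return tuple(x for x in word if x in LOW_INPUTS)


def unwinding_violations(step):
    """Theorem 1: check the DSD on single inputs only.

    Returns a list of (kind, witness) pairs; an empty list means the system is an SDA."""
    bad = []
    # Condition (1): delta-bar on S/~ is well-defined for low inputs (and e).
    for s1, s2 in product(STATES, repeat=2):
        if s1 < s2 and low_equiv(s1, s2):
            for x in LOW_INPUTS + (EPS,):
                if not low_equiv(step(s1, x), step(s2, x)):
                    bad.append(("not-well-defined", (s1, s2, x)))
    # Condition (2): a high input never changes the equivalence class, delta(s, x_H) ~ s.
    for s in STATES:
        for x in HIGH_INPUTS:
            if not low_equiv(step(s, x), s):
                bad.append(("high-input-visible", (s, x)))
    return bad


def dsd_commutes(step, s, word):
    """Chase the DSD for one string: is [delta(s, w)] equal to delta-bar([s], F(w))?"""
    return low_equiv(run(step, s, word), run(step, s, purge(word)))


if __name__ == "__main__":
    w = ("set", "inc", "clr", "inc")
    print("secure machine violations:", unwinding_violations(secure_step))
    print("leaky machine violations :", unwinding_violations(leaky_step))
    print("DSD on", w, "secure:", dsd_commutes(secure_step, (0, 0), w),
          "leaky:", dsd_commutes(leaky_step, (0, 0), w))
```

For the leaky machine every violation is of the first kind: two states that differ only in the high flag are driven to different low counters by the same low input, which is exactly the covert channel the DSD analysis above describes.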


5 Nondeterminism

McCullough looked at nondeterministic systems when he defined restrictiveness, though his model is computationally different from ours. Our model easily generalizes to the nondeterministic case in the spirit of classical automata theory. We use the notation $\rho(X)$ for the power set of $X$.

Definition 9 A nondeterministic automaton is a triple $A = (S, \Sigma, \delta)$, where

(1) $S$ is a finite set (of states)

(2) $\Sigma$ is a finite nonempty set (the input alphabet)

(3) $\delta : S \times \Sigma^* \to \rho(S)$ is a (transition) relation satisfying $\forall s \in S$ and $\forall x, y \in \Sigma^*$, $\delta(s, xy) = \bigcup\{\delta(s', y) \mid s' \in \delta(s, x)\}$ and $\delta(s, e) = \{s\}$, where $e$ is the null sequence in $\Sigma^*$.

In other words given a state $s$ and a word $w$, $\delta(s, w)$ is a subset of $S$. The transition relation $\delta(s, w)$ can be thought of as a set of triples $\{(s, w, s_1), (s, w, s_2), \ldots, (s, w, s_n)\}$. Each $s_i$ is a state to which the automaton might transition, given that the automaton is presently in state $s$ and $w$ is the input string. We can, as before, obtain a security diagram by replacing $S$ by $\rho(S)$ and generalizing the equivalence relation $\sim$.

Definition 10 If $A, B \in \rho(S)$ we say that $A$ is equivalent to $B$, written $A \sim B$, iff for each $s_A^i \in A$ $\exists\, s_B^j \in B$ such that $s_A^i \sim s_B^j$ and vice versa, where $\sim$ with respect to states is as before in the deterministic case.

All we are doing is extending the definition of $\sim$ so that instead of state equivalence we can also talk about equivalent subsets of $S$. We use $\sim$ for both relations, letting context be the arbiter. Since $\sim$ is an equivalence relation on $\rho(S)$, we can define the quotient set $\rho(S)/\!\sim$ and the quotient mapping $\rho(\pi) : \rho(S) \to \rho(S)/\!\sim$.

Theorem 2 There is a 1-1 and onto mapping between $\rho(S)/\!\sim$ and $\rho(S/\!\sim)$.

Proof: The map $\pi$ induces a map $\bar\pi : \rho(S) \to \rho(S/\!\sim)$ as follows. If $A \in \rho(S)$, $A = \{a_1, \ldots, a_n\}$, then $\bar\pi(A) = \{[a_{i_1}], \ldots, [a_{i_m}]\}$, where $a_{i_k} \in A$ and each $a_j \in A$ is equivalent to one and only one of the $a_{i_k}$. This map is clearly onto.

Suppose $A \sim B$ (in other words $[A] = [B]$ as elements of $\rho(S)/\!\sim$), where $A = \{a_1, \ldots, a_n\}$ and $B = \{b_1, \ldots, b_m\}$. Consider $[s] \in \bar\pi(A)$. Then there is an $a_i \sim s$, $a_i \in A$, such that $\exists\, b_j \in B$ such that $[a_i] = [b_j]$. Therefore $[s] = [a_i] = [b_j] \in \bar\pi(B)$. Similarly we can show that $\bar\pi(B) \subseteq \bar\pi(A)$. We conclude that $\bar\pi(A) = \bar\pi(B)$. Hence we can “push” the map $\bar\pi$ down to $\rho(S)/\!\sim$ and induce a map $\phi$ which is well-defined.

Suppose that $\bar\pi(A) = \bar\pi(B)$. Then given $s \in A$ $\exists\, s' \in B$ for which $s' \sim s$ and vice versa. Hence $[A] = [B]$, therefore $\phi$ is 1-1. Since $\bar\pi$ is onto so is $\phi$. ∎

Because of this mapping we can freely interchange between $\rho(S)/\!\sim$ and $\rho(S/\!\sim)$ throughout the rest of the paper.

Example

[The sets $A$ and $B$ of this example are not legible in the source scan.] So $A \sim B$ and $[A] = [B]$.

As in the deterministic case we have the well known paradigm that a high input should not change the state to a nonequivalent state. Also Low should not be able to distinguish between subsets of $\rho(S)/\!\sim$. In the deterministic case our concern was with equivalence classes of elements. Now in the nondeterministic case we have to be concerned with sets of equivalence classes.

Example

Consider the states $a, b, b', c, c', d, d', e, e' \in S$ such that $b \sim b'$, $c \sim c'$, $d \sim d'$, but $e \not\sim e'$. Consider $w \in \Sigma_L^*$, $w = x_L^1 x_L^2$. Suppose $x_L^1$ can take $a$ to either $b$, $b'$, $c$ or $c'$; and $x_L^2$ can take $b$ to $d$ and $c$ to $e$, and $x_L^2$ can take $b'$ to $d'$ and $c'$ to $e'$. On the quotient level Low sees two different possible transition scenarios

$$
\{[a]\} \xrightarrow{x_L^1} \{[b], [c]\} \xrightarrow{x_L^2} \{[d], [e]\} \quad \text{or}
$$

$$
\{[a]\} \xrightarrow{x_L^1} \{[b'], [c']\} \xrightarrow{x_L^2} \{[d'], [e']\}.
$$

The above example is certainly not good from a security point of view. Low can know that there is a difference between $\{[b], [c]\}$ and $\{[b'], [c']\}$ because the same input string takes one to non-equivalent states. This in turn means that the sequence of states passed through must be different. But they were supposed to be equivalent to the low user.

From our above discussion and example we see that the analog of SDA to the nondeterministic case is the following:

Definition 11 (SNA) Given a nondeterministic system represented by both a nondeterministic automaton $A = (S, \Sigma, \delta)$ and a set of secure initial states $S_0$, we say that the system is a Secure Nondeterministic Automaton (SNA) if:

(1) The map $\bar\delta : S/\!\sim \times \Sigma_L^* \to \rho(S)/\!\sim$, given by $\bar\delta([s], w_L) = [\delta(s, w_L)]$, where $[s] \in S/\!\sim$ and $w_L \in \Sigma_L^*$, is well-defined.

(2) The following diagram, referred to as the Nondeterministic Security Diagram (NSD), is commutative:

$$
\begin{array}{ccc}
S \times \Sigma^* & \xrightarrow{\ \delta\ } & \rho(S) \\
\big\downarrow{\scriptstyle \pi \times F} & & \big\downarrow{\scriptstyle \rho(\pi)} \\
S/\!\sim \times \Sigma_L^* & \xrightarrow{\ \bar\delta\ } & \rho(S)/\!\sim
\end{array}
$$

Of course we get a similar version of the unwinding theorem for the nondeterministic case.

Theorem 3 A system is an SNA iff the NSD holds (is well-defined and commutes) with $\Sigma^*$ and $\Sigma_L^*$ replaced by $\Sigma$ and $\Sigma_L \cup \{e\}$, respectively.

Proof: Follows just as in the deterministic case. ∎

Of course every deterministic system is a special case of a nondeterministic system, i.e., the transitions map into the singleton subsets of $\rho(S)$. Hence, the above definition of SNA actually includes SDA as a special case, and we can see how noninterference generalizes in the nondeterministic case.

Finally, we note that the subset construction of Rabin and Scott [19] can be applied to the nondeterministic systems presented here. Given an SNA, $A = (S, \Sigma, \delta)$ with a set of initial states $S_0$, we can define an SDA, $\rho(A) = (\rho(S), \Sigma, \rho(\delta))$ with initial state $S_0$, by defining $\rho(\delta) : \rho(S) \times \Sigma^* \to \rho(S)$ by $\rho(\delta)(B, x) = \bigcup\{\delta(b, x) \mid b \in B\}$ for $x \in \Sigma$ and using a recursive definition to extend $\rho(\delta)$ to $\Sigma^*$. It is well known that the resulting SDA $\rho(A)$ completely mimics the behavior of $A$ with respect to state transitions and sets of input strings. For systems with output or accepting states this behavior is also captured. We state without proof:


Theorem 4 Every SNA is behaviorally equivalent to an SDA with the same input set $\Sigma^*$.

Corollary: The requirement of input totality for SDA’s can be removed with no loss of generality in the model.
Proof: Let $A = (S, \Sigma, \delta)$ be an SDA except that $\delta : S \times \Sigma \to S$ is a partial function. Construct $\rho(A)$ and notice that $\rho(\delta)$, when restricted to $\{(\{s\}, x) \mid s \in S,\ x \in \Sigma\}$, yields either a singleton or the empty set. Thus $\rho(A)$ has the same behavior as the given SDA with partial transition function $\delta$. Moreover, $\rho(A)$ has the same behavior as a deterministic, input total machine. ∎
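As an added example, not from the paper, the following Python encodes the nine-state example of this section, the set equivalence of Definition 10, the single-input check of Theorem 3, and the Rabin-Scott subset construction $\rho(\delta)$ behind Theorem 4; it also checks a repaired variant in which $c'$ leads to $e$ instead of $e'$. The numeric low values, the input names x1 and x2, and the added no-op high input h are assumptions of this example.

```python
from itertools import product

# Constructed encoding of the Section 5 example: Low sees only LOW[s]. The numeric
# low values are an assumption; they realise b ~ b', c ~ c', d ~ d' and e !~ e'.
LOW = {"a": 0, "b": 1, "b'": 1, "c": 2, "c'": 2, "d": 3, "d'": 3, "e": 4, "e'": 5}
STATES = tuple(LOW)
EPS = ""
LOW_INPUTS = ("x1", "x2")       # the paper's x_L^1 and x_L^2
HIGH_INPUTS = ("h",)            # assumed high input that leaves every state alone

# Single-input transition relation; a missing entry means the empty set, i.e. a
# partial-function style machine of the kind the Corollary discusses.
REL = {
    ("a", "x1"): {"b", "b'", "c", "c'"},
    ("b", "x2"): {"d"}, ("c", "x2"): {"e"},
    ("b'", "x2"): {"d'"}, ("c'", "x2"): {"e'"},
}
# Repaired variant: c' also goes to e, so both of Low's scenarios end equivalently.
REL_FIXED = {**REL, ("c'", "x2"): {"e"}}


def make_delta(rel):
    """Build delta(s, x) in rho(S) for single inputs (Definition 9 on Sigma and e)."""
    def delta(s, x):
        if x == EPS or x in HIGH_INPUTS:
            return {s}
        return set(rel.get((s, x), ()))
    return delta


def low_equiv(s1, s2):
    return LOW[s1] == LOW[s2]


def set_equiv(A, B):
    """Definition 10: every element of A has an equivalent in B and vice versa."""
    return (all(any(low_equiv(a, b) for b in B) for a in A)
            and all(any(low_equiv(b, a) for a in A) for b in B))


def powerset_step(delta, B, x):
    """Rabin-Scott subset construction: rho(delta)(B, x) = union of delta(b, x), b in B."""
    out = set()
    for b in B:
        out |= delta(b, x)
    return out


def run(delta, B, word):
    """Extend to strings as Definition 9 demands: delta(s, xy) = U{delta(s', y) | s' in delta(s, x)}."""
    for x in word:
        B = powerset_step(delta, B, x)
    return B


def purge(word):
    """The map F: keep only the low inputs."""
    return tuple(x for x in word if x in LOW_INPUTS)


def nsa_violations(delta):
    """Theorem 3: the NSD checked on single inputs; an empty list means the system is an SNA."""
    bad = []
    for s1, s2 in product(STATES, repeat=2):          # condition (1): delta-bar well-defined
        if s1 < s2 and low_equiv(s1, s2):
            for x in LOW_INPUTS + (EPS,):
                if not set_equiv(delta(s1, x), delta(s2, x)):
                    bad.append(("not-well-defined", (s1, s2, x)))
    for s in STATES:                                  # condition (2): high inputs invisible
        for x in HIGH_INPUTS:
            if not set_equiv(delta(s, x), {s}):
                bad.append(("high-input-visible", (s, x)))
    return bad


def nsd_commutes(delta, s, word):
    """Chase the NSD for one string: delta(s, w) ~ delta(s, F(w)) as subsets of S."""
    return set_equiv(run(delta, {s}, word), run(delta, {s}, purge(word)))


if __name__ == "__main__":
    for name, rel in (("paper example", REL), ("repaired", REL_FIXED)):
        d = make_delta(rel)
        print(name, "violations:", nsa_violations(d),
              "| rho(delta)({a}, x1 x2) =", sorted(run(d, {"a"}, ("x1", "x2"))))
```

The single violation found for the paper's example is the pair $c \sim c'$ under $x_L^2$: the two scenarios Low sees differ exactly where the quotient map sends $e$ and $e'$ to different classes.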

6 Future Work

We believe that the commutative diagram approach that we started in [17] and continued here can give a simple model for detecting probabilistic channels. In fact, the NSD diagram should have the obvious analog in the probabilistic case. By this we mean a covert channel that arises by High and Low knowing the probabilities associated with nondeterministic transitions. Of course this all boils down to Shannon’s [20, 18] analysis of discrete noisy channels. We feel, similar to McLean [15], that a simple conditional probability statement should suffice to show that the bandwidth of the probabilistic channels is zero. Of course we feel that only input strings need to be considered in the conditional probabilities. Gray [9] has looked at similar ideas but his model involved more complex alphabets than just input strings; however, as we have discussed we feel that modeling in this detail is too complex. For an abstract tool, we feel that an Ockham’s razor approach is the most fruitful.

We also plan to discuss various compositions of SDA’s and timing channels in future research.